Hi,
I am trying to make an API service call using wwHttp. The API server is using basic HTTP auth (user + password), but the server is still returning {"code":403,"exception":"Wrong auth credentials."}
If I try to make the call using Postman - select "Basic auth" and fill in the same username and password - everything works just fine.
My FoxPro code:
Do wwhttp
loHttp = CREATEOBJECT("wwHttp")
loHttp.cContentType="application/json"
loHttp.cusername = "secret_username"
loHttp.cpassword = "secret_pwd"
lcResult = loHttp.post("https://www.123kuryr.cz/atol-api/order/ticket", m.lcJsonData)
Am I missing something? Can I get the source code of the HTTP call to compare it with the source code from Postman, for example?
Thank you for any help.
EDIT: If I try to manually add the auth token generated from username+pwd by Postman, it works.
loHttp.AddHeader("Authorization","Basic emFrYXpuaWtAd...secret...")

That's most likely because the server is not challenging requests with a 401 first, I suspect. WinInet doesn't pre-authenticate because it doesn't know what protocol you want to use, as it supports many, so the server has to provide the supported auth mechanisms first.
So if you want to send it immediately you have to manually send it.
I added a method to wwHttp that provides this immediate header in wwHttp.prg:
************************************************************************
*  AddBasicAuthenticationHeader
****************************************
***  Function: Adds an Authorization header with Basic Auth
***            username and password encoding
***    Assume: Username and password have to have values
***      Pass: lcUsername - user name to log in
***            lcPassword - password to log in
***    Return: nothing
************************************************************************
FUNCTION AddBasicAuthenticationHeader(lcUsername, lcPassword)
LOCAL lcKey

IF EMPTY(lcUsername) OR EMPTY(lcPassword)
   RETURN
ENDIF

lcKey = STRCONV(TRIM(lcUserName) + ":" + TRIM(lcPassword),13)
THIS.AddHeader("Authorization","Basic " + lcKey)
ENDFUNC
*   AddBasicAuthenticationHeader

Thank you very much ... for explanation as well as for code.
I didn't realize that these credentials are just converted to base64.

Yeah, Basic Auth is not secure and not meant to be. But this is also why most services these days don't use Basic Auth but some sort of renewable authentication token (Bearer Authentication).
+++ Rick ---
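
The behaviour discussed in this thread, as an added Python example that is not part of the original posts and is not wwHttp or WinInet code: a client that waits for a 401 challenge never sends credentials to a server that answers 403 without one, while a client that sends the header up front succeeds, and the header itself decodes back to the plain password. The server stand-in, function names and sample credentials are constructed for illustration.

```python
import base64

def basic_header(username, password):
    """Build a Basic credential: "Basic " + base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(header):
    """Reverse the encoding; anyone who can read the header can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pwd = raw.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, pwd

def make_server(user, pwd, challenges):
    """Constructed stand-in for an API endpoint (no network involved).
    challenges=True: unauthenticated requests get 401 + WWW-Authenticate.
    challenges=False: they get 403 and no challenge, as in the thread."""
    def handle(headers):
        auth = headers.get("Authorization")
        try:
            if auth and decode_basic(auth) == (user, pwd):
                return 200, {}
        except ValueError:  # malformed base64 or credential
            pass
        if challenges:
            return 401, {"WWW-Authenticate": 'Basic realm="api"'}
        return 403, {}
    return handle

def challenge_client(server, user, pwd):
    """Send credentials only after the server offers a Basic challenge."""
    status, hdrs = server({})
    if status == 401 and hdrs.get("WWW-Authenticate", "").lower().startswith("basic"):
        status, _ = server({"Authorization": basic_header(user, pwd)})
    return status

def preemptive_client(server, user, pwd):
    """Send the Authorization header on the very first request."""
    status, _ = server({"Authorization": basic_header(user, pwd)})
    return status
```

Because the credential is only encoded, not encrypted, Basic auth depends entirely on TLS for confidentiality, and the header value should be kept out of logs and posted code just like the password.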